[Zeek] ja3 & ja3s with resumed tls

Daniel Guerra daniel.guerra69 at gmail.com
Thu Jan 10 16:19:58 PST 2019


Hi Johanna

I was thinking the same, but after the results I became insecure about this.
I have attached 2 examples.

Daniel

Example 1

resumed false

{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "client_cert_chain_fuids": "[]",
    "curve": "secp256r1",
    "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
    "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
    "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
    "cert_chain_fuids": [
      "FwvSeKet5kqNoujSf",
      "FNxask2v3HjNVTB5ff"
    ],
    "dest_asname": "AppNexus, Inc",
    "next_protocol": "http/1.1",
    "type": "tls",
    "version": "TLSv12",
    "sni": "ib.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 58443,
    "uid": "Cfc50Q1EnIW0GAYWch",
    "dest_ip": "37.252.172.40",
    "validation_status": "ok",
    "resumed": false,
    "ja3": "b20b44b18b853ef29ab773e921b03422",
    "dest_port": 443,
    "timestamp": "2018-12-16T17:16:44.801Z"
}

next resumed true

{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
    "dest_asname": "AppNexus, Inc",
    "next_protocol": "http/1.1",
    "type": "tls",
    "version": "TLSv12",
    "sni": "ib.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 58446,
    "uid": "CyYQVc1FuxLDABqxpj",
    "dest_ip": "37.252.172.40",
    "resumed": true,
    "ja3": "334da95730484a993c6063e36bc90a47",
    "dest_port": 443,
    "timestamp": "2018-12-16T17:16:45.071Z"
}

Example 2

resumed false

{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "client_cert_chain_fuids": "[]",
    "curve": "secp256r1",
    "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
    "ja3s": "cabc8aadc20a64fa7156022319d177c0",
    "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
    "cert_chain_fuids": [
      "FCxxdLhSpJHRDMYv4",
      "FYW4Fs3VrkciMfUhc6"
    ],
    "dest_asname": "AppNexus, Inc",
    "next_protocol": "http/1.1",
    "type": "tls",
    "version": "TLSv12",
    "sni": "secure.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 55912,
    "uid": "CvUDsF40fhpESTJlLd",
    "dest_ip": "37.252.172.40",
    "validation_status": "ok",
    "resumed": false,
    "ja3": "5c118da645babe52f060d0754256a73c",
    "dest_port": 443,
    "timestamp": "2018-12-27T15:43:45.898Z"
}

resumed true

{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "ja3s": "93174bff9e6f484d06ff9552fe757554",
    "dest_asname": "AppNexus, Inc",
    "type": "tls",
    "version": "TLSv12",
    "sni": "secure.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 55927,
    "uid": "Ctr8MRZepl9Z0r6E6",
    "dest_ip": "37.252.172.40",
    "resumed": true,
    "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
    "dest_port": 443,
    "timestamp": "2018-12-27T15:43:46.019Z"
}

On 10-01-19 at 15:40, Johanna Amann wrote:
> Hi Daniel,
>
> unless I am missing something, there should be no difference in the
> signature of a resumed and a new connection for JA3. I don’t remember
> them hashing anything in that has to do with session resumption.
>
> Johanna
>
>
> On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
>
>> Hi,
>>
>> I'm researching ja3 and ja3s tls signatures.
>>
>> With resumed tls connections there is no complete
>> handshake etc. Does it make sense to calculate a ja3
>> on resumed tls ?
>>
>> Regards,
>>
>> Daniel
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
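To make the disagreement in this thread concrete, here is an added Python example (not code from the thread, from Zeek, or from the JA3 project) that builds the JA3 and JA3S strings from hello fields the way the published JA3 method describes, using constructed handshake values: a client that sends the same extension types in both the full and the resumed ClientHello, and a server that omits status_request on resumption because it sends no Certificate.

```python
import hashlib

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are stripped from the cipher,
# extension and group lists before hashing, as the reference JA3 method does.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _field(values):
    """Decimal, hyphen-joined list with GREASE removed; empty list -> empty field."""
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, groups, point_formats):
    """ClientHello -> 'SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats'.
    Only extension *types* are used, so the bytes carried inside a
    session_ticket (35) extension do not influence the fingerprint."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(groups), _field(point_formats)])

def ja3s_string(version, cipher, extensions):
    """ServerHello -> 'SSLVersion,Cipher,Extensions'."""
    return ",".join([str(version), str(cipher), _field(extensions)])

def fingerprint(s):
    """JA3/JA3S hash: MD5 of the fingerprint string, hex encoded."""
    return hashlib.md5(s.encode("ascii")).hexdigest()

# Constructed sample handshakes (hypothetical, not the captures in the thread).
CLIENT = dict(version=0x0303,
              ciphers=[0x2a2a, 0xc02b, 0xc02f],                      # 0x2a2a is GREASE
              extensions=[0x3a3a, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
              groups=[0x4a4a, 29, 23, 24], point_formats=[0])
# Full handshake: the server answers status_request (5) because it sends a
# Certificate; on resumption no certificate goes out, so that extension is absent.
SERVER_FULL = dict(version=0x0303, cipher=0xc02b, extensions=[65281, 23, 11, 35, 16, 5])
SERVER_RESUMED = dict(version=0x0303, cipher=0xc02b, extensions=[65281, 23, 11, 16])

def compare_resumption():
    """Return the JA3/JA3S strings and hashes for the full and resumed handshake."""
    ja3 = ja3_string(**CLIENT)   # same extension types both times -> same JA3
    full = ja3s_string(**SERVER_FULL)
    resumed = ja3s_string(**SERVER_RESUMED)
    return {"ja3": ja3, "ja3_hash": fingerprint(ja3),
            "ja3s_full": full, "ja3s_full_hash": fingerprint(full),
            "ja3s_resumed": resumed, "ja3s_resumed_hash": fingerprint(resumed),
            "ja3s_changed": fingerprint(full) != fingerprint(resumed)}

if __name__ == "__main__":
    for key, value in compare_resumption().items():
        print(f"{key:18} {value}")
```

Whether a real client or server actually keeps the same extension types across a full and a resumed handshake can only be settled by comparing the extension type lists Zeek sees for the two connections, so a differing ja3 or ja3s on a resumed connection is a reason to diff those lists rather than to treat the hash as wrong.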
